Block ddos steam Fail2Ban


cmer
10-14-2009, 14:09
Hello friends, here we will see how to block DDoS attacks on a server with Steam using fail2ban and iptables.

# Create a chain that logs and drops 28-byte UDP flood packets
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28


# Create a chain that logs and drops 46-byte UDP flood packets
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46

Install fail2ban:

apt-get install fail2ban

Then create a fail2ban filter named ddos:

nano /etc/fail2ban/filter.d/ddos.conf

Add:

[Definition]

failregex = IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)
Open the file /etc/fail2ban/jail.conf and add:

[ddos]
enabled = true
port = 27015,27025,27050,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
We restart fail2ban

/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start

During an attack you will then find in your fail2ban.log:

2009-10-14 19:11:43,702 fail2ban.actions: WARNING [ddos] Ban 78.22.165.162
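
The following Python script is an added example, not code from the thread or from the fail2ban project. It replays constructed syslog lines of the shape the iptables LOG target emits through the ddos filter, expanding `<HOST>` the way fail2ban does, and applies the maxretry/findtime ban rule. It also shows why the `(28|48) ... LEN=28` form of the regex that appears in several posts never bans a 46-byte flood: the rules log length 28 and 46, so the filter must accept both. The addresses, timestamps, the assumed year 2009 and the simplified ban logic are all constructed for the demonstration; real fail2ban also handles date parsing, ignoreip and bantime expiry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Corrected filter: the iptables rules log packets of length 28 and 46, so both
# lengths must be accepted. <HOST> is fail2ban's placeholder for the address to ban.
FAILREGEX = (r"IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
             r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)")

# The regex as it circulates in the thread: (28|48) plus a trailing LEN=28 means
# the 46-byte log lines can never match.
THREAD_FAILREGEX = (r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ "
                    r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28")


def compile_failregex(failregex):
    """Expand <HOST> into a named IPv4 capture group (as fail2ban does) and compile."""
    host = r"(?P<host>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"
    return re.compile(failregex.replace("<HOST>", host))


def log_line(stamp, length, src, iface="eth0"):
    """Build a constructed syslog line in the shape the iptables LOG target emits."""
    return (f"{stamp} srv kernel: IPTABLES-FLOOD LENGTH {length}: IN={iface} OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=203.0.113.10 "
            f"LEN={length} TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP "
            f"SPT=40000 DPT=27015 LEN={length - 20}")


# Constructed sample log (documentation addresses only), in time order.
SAMPLE_LOG = [
    log_line("Oct 14 19:00:00", 28, "198.51.100.20"),         # slow sender, hit 1
    log_line("Oct 14 19:11:40", 28, "198.51.100.7"),
    log_line("Oct 14 19:11:41", 28, "198.51.100.7"),
    log_line("Oct 14 19:11:43", 28, "198.51.100.7"),          # third hit -> ban
    log_line("Oct 14 19:11:44", 28, "198.51.100.8"),
    log_line("Oct 14 19:11:45", 28, "198.51.100.8"),          # only two hits
    log_line("Oct 14 19:11:45", 46, "192.0.2.9"),
    log_line("Oct 14 19:11:46", 46, "192.0.2.9"),
    log_line("Oct 14 19:11:47", 46, "192.0.2.9"),             # 46-byte flood -> ban
    log_line("Oct 14 19:11:48", 28, "198.51.100.8", "eth1"),  # other interface, ignored
    log_line("Oct 14 19:15:00", 28, "198.51.100.20"),         # slow sender, hit 2
    log_line("Oct 14 19:30:00", 28, "198.51.100.20"),         # hit 3, but outside findtime
]


def parse_stamp(line, year=2009):
    """Syslog timestamps carry no year; assume one for the constructed sample."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def find_bans(lines, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Replay lines through the filter and apply fail2ban's maxretry/findtime rule.

    Returns {host: timestamp_of_ban}. A host is banned once `maxretry` matching
    lines fall inside a window of `findtime` seconds.
    """
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    bans = {}
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        if host in bans:
            continue
        stamp = parse_stamp(line)
        # Keep only the hits still inside the window, then add this one.
        hits[host] = [t for t in hits[host] if stamp - t <= window] + [stamp]
        if len(hits[host]) >= maxretry:
            bans[host] = stamp
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [ddos] Ban {host}")
    print("thread regex bans:", sorted(find_bans(SAMPLE_LOG, THREAD_FAILREGEX)))
```

Running it bans 198.51.100.7 and 192.0.2.9 with the corrected regex but only 198.51.100.7 with the thread's version, and the sender that spreads its packets over half an hour is never banned, which is what findtime is for. The same replay is a cheap way to check a filter against your own /var/log/messages before restarting fail2ban.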

CatsyLady
10-14-2009, 20:40
this still does not work

we have debian linux, and they still can attack us

cmer
10-14-2009, 22:15
this still does not work

we have debian linux, and they still can attack us

Show me the rules as you put it :)

CatsyLady
10-15-2009, 19:50
what rules you mean?

i did step by step what you provide

devicenull
10-15-2009, 21:09
I'd suggest looking at the actual content of the packets, rather than just blindly looking at the size.. should be fairly easy to actually pick out the contents of the packets.

berni
10-16-2009, 02:47
I'd suggest looking at the actual content of the packets, rather than just blindly looking at the size.. should be fairly easy to actually pick out the contents of the packets.

And then ? What do you do with random bytes :wink:

I recommend using 27015:27300 as portrange, the flood blocker works pretty well on my server.
I'm using it with ulogd to log the dos attacks to my mysql database, and a php script to generate a report of all attacks including IPs and an automatic lookup of the player this IP belongs to :)

biernot80
10-20-2009, 17:57
Doesn't work on our server (Linux/Debian).
We get DDoSed 23h out of 24h xD
It is installed as the "HowTo" says.


What settings do you need to see if all is ok?

fail2ban.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 412 $
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 3

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR.
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communication with the
# daemon.
# Values: FILE Default: /tmp/fail2ban.sock
#
socket = /tmp/fail2ban.sock


jail.conf

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
# mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
# mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6


[apache-noscript]

enabled = true
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled = true
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 6


[proftpd]

enabled = true
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled = true
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled = true
port = smtp
filter = postfix
logpath = /var/log/postfix.log


[couriersmtp]

enabled = true
port = smtp
filter = couriersmtp
logpath = /var/log/mail.log


[sasl]

enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log

[ddos]
enabled = true
port = 27015,27025,27045,27050,27055,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
#action = iptables-multiport[name=ddos, port=27015,27025,27045,27050,27055,28000,29000, protocol=udp]

27015,27025,27045,27050,27055 are our Counter-Strike: Source ports
27015 and 27045 always get DDoSed

filter.d/ddos.conf

[Definition]

failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28


zBlock works fine, but we can add it.
we have a Zombie server and zBlock doesn't work with Zombiemod.
it always crashes the server.

devicenull
10-25-2009, 20:11
And then ? What do you do with random bytes :wink:

I recommend using 27015:27300 as portrange, the flood blocker works pretty well on my server.
I'm using it with ulogd to log the dos attacks to my mysql database, and a php script to generate a report of all attacks including IPs and an automatic lookup of the player this IP belongs to :)

The tools people are using to do this send out predictable packets. You can detect them and then either block or log those packets.

zeroibis
10-26-2009, 01:22
I assume this is only for linux?

thetwistedpanda
10-26-2009, 01:26
zeroibis, a Windows solution may be to block ping requests from being sent to your server (windows firewall perhaps). Might not have the same effect, but it seems to have worked for me.

shady2k2
11-04-2009, 01:36
it works on debian??

Darkthrone
07-14-2010, 22:43
for ubuntu 10.04

this line
logpath = /var/log/messages.log

should be
logpath = /var/log/messages

Mavrick4283
07-15-2010, 21:19
Thank you for the tut

sphinx
08-03-2010, 13:06
the ddos.conf content as shown in this thread prevents fail2ban from starting.
does anybody have a working ddos.conf?

Darkthrone
08-04-2010, 14:12
my ddos.conf is the same as in the first post, and it works just fine
you should change IN=eth0 to your own external interface, or the interface your server is running on

sphinx
08-05-2010, 02:30
[Definition]

failregex = IPTABLES-FLOOD LENGTH (28|48): IN=eth0:0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28

fail2ban still fails to start with this ddos.conf

Darkthrone
08-05-2010, 18:03
check your fail2ban.log

sphinx
08-06-2010, 01:25
nothing in /var/log/fail2ban.log

Darkthrone
08-09-2010, 10:00
then double check that you properly installed this solution

loraliromance
09-26-2010, 16:48
Hi there.

I just got DDOS'd YAY >:/

After having my ip changed through gs.com I want to make sure I'm protected for sure.

Could someone please lay out the idiots guide to how to install this for me. Because I just don't want to screw it up. :)

Thanks.


I have a Linux L4D/L4D2 server.

stevenlafl
09-30-2010, 13:58
I can't imagine this working. More professional DDoS attacks rely on sending the maximum amount of data on random UDP ports per packet. The idea is to overload the router with data. In this manner, there is no possible way to, with software, block a DDoS attack.

Mainly, underage script kiddies rely on ICMP packet flooding (Ping protocol) with a copious amount of ping.exe files running. The end result would then be the same (overloading the router) if the attacker's connection was strong enough to send that many packets. However, most likely it isn't, and results in lag instead of an actual denial of service.
Edit: More recently, kids have been buying $10 VPS accounts and using them to run packet flooding scripts.

In conclusion, your router would be overloaded before the packets had a chance to reach your server. Typically, this is what can bring down a network of datacenter servers that were attached to a single router. It is for this reason that DDoS attacks must be prevented at the hardware level, and this is actually done by some datacenters, which actually advertise their "DDoS protection." I have purchased one of those servers, and I have to say that it protected me from an attack that used hundreds of bots (each with at LEAST 10 mb/s)

berni
09-30-2010, 16:38
You guys should first know the difference between DoS and DDoS Attacks.

DDoS != DoS.

And I think we are talking about DoS attacks here, which can be blocked by filters. DDoS can't be blocked by the system, if anything can block DDoS attacks then it would be load balancers...

stevenlafl
09-30-2010, 23:17
You guys should first know the difference between DoS and DDoS Attacks.

DDoS != DoS.

And I think we are talking about DoS attacks here, which can be blocked by filters. DDoS can't be blocked by the system, if anything can block DDoS attacks then it would be load balancers...

This is exactly what I was trying to point out. This man has the correct idea, guys. You should listen to him.

loraliromance
10-04-2010, 10:50
Steven, I'm pretty sure I know what it is. I've had it done to me before on my home connection.


>:/

I may not know everything about it, but I know the symptoms. So if this won't work for DDoS then I should look somewhere else.

Mavrick4283
10-04-2010, 13:03
Steven, I'm pretty sure I know what it is. I've had it done to me before on my home connection.


>:/

I may not know everything about it, but I know the symptoms. So if this won't work for DDoS then I should look somewhere else.

Wow, you should really read. The ONLY way to slow a true DDoS is to have load balancing. But the good thing is most people who DDoS game servers are script kiddies and use SYN floods, so you should just use iptables on the INPUT chain to drop (not reject) all SYN/ICMP packets, just google it; also you can set iptables to stop people from flooding your UDP ports. Between those two things you should slow down or even stop weak DDoS attacks. Do not think this is a 100% fix for DDoS attacks......

loraliromance
10-04-2010, 18:54
You should read, I never said I could stop it, I just said I'd have to look somewhere else to try and fix the issue. It's a bit hard when the guy that did it to me keeps trying to find my new server. So I'm paranoid. Also, I know how the whole script thing goes, it's not like there aren't a gazillion people that are silly on hl1 mods spamming them to death :P

Knight Vision Systems
03-21-2011, 22:13
Group,

I'm trying to understand 1) how to implement this, 2) how this works.

In the IP Tables rules, the following is presented,

iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28

Does the "your_port" part mean, the ports which my game servers are on? For example, 27015, 27016, etc?

Also, what part does the fail2ban program play in the equation?

Much thanks in advance!
Knight
Knight Vision Systems
http://www.knightvisionsystems.com

Ubunter
11-17-2013, 13:35
Group,

iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28

Does the "your_port" part mean, the ports which my game servers are on? For example, 27015, 27016, etc?


Hi, sorry for the late intervention, I was just googling and arrived here...

Yes, this is to monitor the port, but I have removed the port to monitor all of them; on my server I have just 5060 and 443 open... But I did:

iptables -A INPUT -i eth0 -p udp -m length --length 28 -j

But I have a question:

In the jail conf, I'm missing the action. Should the action deliver back to iptables?? I did:

[ddos]
enabled = true
#port = 27015,27025,27050,28000,29000 ## I commented out the port, to monitor all ports!
protocol = udp
filter = ddos
logpath = /var/log/messages
maxretry = 2
bantime = 60000
action = iptables[name=ddos-404-SLT] ## Is this action here correct??


Thank you in advance!

DJEarthQuake
07-15-2019, 17:03
opens the file /etc/fail2ban/jail.conf and we add

What the fuck did I see here now?



Bad idea. Upgrades overwrite jail.conf.:rtfm:


# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.

According to this article https://gamebanana.com/threads/128192
cstrike-planet.com disappeared 11 years ago. [counter-strike] has been in fail2ban's default configuration for years before this thread was written.

I see IP rules threads to offloading module threads while we have had one all along with fail2ban preconfigured. The logpath is out of date and needs to point to /var/log/messages in most instances.



/etc/fail2ban/jail.conf

[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
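
To make the "do not edit jail.conf" point concrete, here is an added Python example (not from the thread or the fail2ban project) that models how fail2ban layers jail.local over jail.conf and how the `%(...)s` references in an action line like the one quoted above expand: later files override individual keys while the rest of the jail and the [DEFAULT] values survive, and `__name__` resolves to the jail's section name. The file contents, port lists and `chain`/`banaction` defaults are constructed; fail2ban's real reader has more defaults and rules than this configparser approximation.

```python
import configparser

# Constructed jail.conf excerpt modelled on the [counter-strike] jail quoted above.
# It ships disabled, as distribution jails do; the admin is not meant to edit it.
JAIL_CONF = """\
[DEFAULT]
bantime = 600
maxretry = 3
chain = INPUT
banaction = iptables-multiport

[counter-strike]
enabled = false
logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032
udpport = 27015,27016
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
"""

# Constructed jail.local: the file an admin should create. It enables the jail and
# repoints logpath (the thread's /var/log/messages fix) without touching jail.conf,
# so a package upgrade that rewrites jail.conf leaves these settings intact.
JAIL_LOCAL = """\
[counter-strike]
enabled = true
logpath = /var/log/messages
bantime = 6000
"""


def load_jails(conf_text, local_text=""):
    """Read jail.conf, then jail.local on top: keys in the later file win."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    parser.read_string(local_text)
    return parser


def effective(parser, jail):
    """Return the merged key/value view of one jail, [DEFAULT] values included."""
    return dict(parser[jail])


def expand_actions(parser, jail):
    """Expand %(key)s references as fail2ban does, with __name__ set to the jail name.

    The action value may span several lines; each line becomes one action.
    """
    values = dict(parser[jail], __name__=jail)
    raw = parser.get(jail, "action")
    return [line.strip() % values for line in raw.splitlines() if line.strip()]


if __name__ == "__main__":
    jails = load_jails(JAIL_CONF, JAIL_LOCAL)
    for key, value in sorted(effective(jails, "counter-strike").items()):
        if key != "action":
            print(f"{key} = {value}")
    for action in expand_actions(jails, "counter-strike"):
        print("action:", action)
```

With both files loaded the jail reports `enabled = true`, `logpath = /var/log/messages` and `bantime = 6000` from jail.local while `maxretry`, `udpport` and the action line still come from jail.conf, and each expanded action names the jail (`counter-strike-udp`, `counter-strike-tcp`) in the iptables chain it will create. Loading jail.conf alone shows the jail still disabled, which is the state an upgrade would put you back in had the edits gone into jail.conf.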